Port Ranges
• Ports 0 to 1023 are Well-Known Ports.
• Ports 1024 to 49151 are Registered Ports (often registered by a software developer to
designate a particular port for their application).
• Ports 49152 to 65535 are Public Ports.
Traffic Analysis - Wireshark
Configure Name Resolution
- Make a new profile
- Make a “hosts” file with format “ip hostname”
- Place that “hosts” file in the ~/.config/wireshark/configprofilename/ folder
- Open the pcap file, select your configuration profile, and ensure “view>>name
resolution>>resolve network/transport address names” is checked
Configure Ports
- Go to “Edit>>preferences>>columns” and add src and dst ports to the display
Figuring out what multi-cast goes to
- Fill out “hosts” and “services” file if you can
- Click on various multi-cast products – generally the parameters will identify what the
application is with a version or the company that made it.
Query for Common Ports
• tcp.dstport >= 0 and tcp.dstport <= 10000 || tftp || dns
Saving off filters to make capture smaller
- Apply a filter
- Click “File>> Export Specified Packets” then save them to a file
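Added example (not part of the original notes): the same "filter, then export a smaller capture" step done offline on a classic pcap file, using the Query for Common Ports filter above. The function names and the sample capture are constructed for illustration, and tftp/dns are approximated by UDP ports 69 and 53 rather than by Wireshark's protocol dissectors.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap; pcapng is not handled

def wanted(frame):
    """Port-based stand-in for: tcp.dstport >= 0 and tcp.dstport <= 10000 || tftp || dns"""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
        return False
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:   # later fragment: no L4 header
        return False
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]            # skip the IP header (IHL words)
    if len(l4) < 4:
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    if frame[23] == 6:                                  # TCP
        return dport <= 10000
    if frame[23] == 17:                                 # UDP: DNS is 53, TFTP requests go to 69
        return bool({sport, dport} & {53, 69})
    return False

def filter_pcap(data):
    """Return (smaller pcap bytes, kept, total), like File>>Export Specified Packets."""
    magic, linktype = struct.unpack("<I16xI", data[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet linktype")
    out, off, total = [data[:24]], 24, 0
    while off + 16 <= len(data):
        end = off + 16 + struct.unpack("<I", data[off + 8:off + 12])[0]
        if end > len(data):                             # truncated last record
            break
        total += 1
        if wanted(data[off + 16:end]):
            out.append(data[off:end])                   # keep record header + frame as-is
        off = end
    return b"".join(out), len(out) - 1, total

def _frame(proto, sport, dport):
    """Constructed sample frame: zeroed MACs, IPv4 10.0.0.1 -> 10.0.0.2, empty payload."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture: HTTPS request, its reply, DNS, NTP, TFTP read request."""
    frames = [_frame(6, 50000, 443), _frame(6, 443, 50000), _frame(17, 50001, 53),
              _frame(17, 50002, 123), _frame(17, 50003, 69)]
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))
```

Because the filter is on the destination port, the server's reply to the high client port is dropped, and a port-only match sees just the first TFTP request, not the transfer that continues on other ports.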
Search for Strings
• Edit >> find packet
Extracting files
• file >> export objects
Find Hashes
• net-creds.py -p file.pcap
Changing Parameters in the Packets
Download: Penetration Testing.pdf (938.2 KB) (Tools reference included in pdf)
Enjoy!